Abstract. The Number Field Sieve (NFS) algorithm is the best known method to compute discrete logarithms (DL) in finite fields F_{p^n}, with p medium to large and n > 1 small. This algorithm comprises four steps: polynomial selection, relation collection, linear algebra and finally, individual logarithm computation. The first step outputs two polynomials defining two number fields, and a map from the polynomial ring over the integers modulo each of these polynomials to F_{p^n}. After the relation collection and linear algebra phases, the (virtual) logarithm of a subset of elements in each number field is known. Given the target element in F_{p^n}, the fourth step computes a preimage in one number field. If one can write the target preimage as a product of elements of known (virtual) logarithm, then one can deduce the discrete logarithm of the target.

As recently shown by the Logjam attack, this final step can be critical when it can be computed very quickly. But we realized that computing an individual DL is much slower in medium- and large-characteristic non-prime fields F_{p^n} with n ≥ 3, compared to prime fields and quadratic fields F_{p^2}. We optimize the first part of individual DL: the booting step, by reducing dramatically the size of the preimage norm. Its smoothness probability is higher, hence the running-time of the booting step is much improved. Our method is very efficient for small extension fields with 2 ≤ n ≤ 6 and applies to any n > 1, in medium and large characteristic.


Keywords: Discrete logarithm, finite field, number field sieve, individual logarithm.


* Copyright IACR 2015. This article is a minor revision of the ASIACRYPT 2015 final version. The version published by Springer-Verlag is available at http://dx.doi.org/10.1007/978-3-662-48797-6_7.

** This research was partially funded by Agence Nationale de la Recherche grant ANR-12-BS02-0001.

*** Publisher version September 7th 2015, revised May 26th 2016.



1 Introduction 


1.1 Cryptographic Interest 

Given a cyclic group (G, ·) and a generator g of G, the discrete logarithm (DL) of x ∈ G is the element 1 ≤ a ≤ #G such that x = g^a. In well-chosen groups, the exponentiation (g, a) ↦ g^a is very fast but computing a from (g, x) is conjectured to be very difficult: this is the Discrete Logarithm Problem (DLP), at the heart of many asymmetric cryptosystems. The first group proposed for DLP was the multiplicative group of a prime finite field. Nowadays, the group of points of elliptic curves defined over prime fields is replacing the prime fields for DLP-based cryptosystems. In pairing-based cryptography, the finite fields are still used, because they are a piece in the pairing mechanism. It is important in cryptography to know precisely the difficulty of DL computation in the considered groups, to estimate the security of the cryptosystems using them. Finite fields have a particularity: there exists a subexponential-time algorithm to compute DL in finite fields of medium to large characteristic: the Number Field Sieve (NFS). In small characteristic, this is even better: a quasi-polynomial-time algorithm was proposed very recently [7].

In May 2015, an international team of academic researchers revealed a surprisingly efficient attack against a Diffie-Hellman key exchange in TLS, the Logjam attack [2]. After a seven-day precomputation stage (for relation collection and linear algebra of the NFS-DL algorithm), it was made possible to compute any given individual DL in about one minute, for each of the two targeted 512-bit prime finite fields. This was fast enough for a man-in-the-middle attack. This experience shows how critical it can be to be able to compute individual logarithms very fast.

Another interesting application for fast individual DL is batch-DLP, and 
delayed-target DLP: in these contexts, an attacker aims to compute several DL 
in the same finite field. Since the costly phases of relation collection and linear algebra are only done one time for any fixed finite field, only the time for
one individual DL is multiplied by the number of targets. This context usually 
arises in pairing-based cryptography and in particular in broadcast protocols 
and traitor tracing schemes, where a large number of DLP-based public/private 
key pairs are generated. The time to compute one individual DL is important in 
this context, even if parallelization is available. 

1.2 The Number Field Sieve Algorithm for DL in Finite Fields 

We recall that the NFS algorithm is made of four steps: polynomial selection, relation collection, linear algebra and finally, individual logarithm computation. This last step is mandatory to break any given instance of a discrete logarithm problem. The polynomial selection outputs two irreducible polynomials f and g defining two number fields K_f and K_g. One considers the rings R_f = Z[x]/(f(x)) and R_g = Z[x]/(g(x)). There exist two maps ρ_f, ρ_g to F_{p^n}, as shown in the following diagram. Moreover, the monic polynomial defining the finite field is ψ = gcd(f, g) mod p, of degree n.

Fig. 1. NFS diagram: R_f = Z[x]/(f(x)) and R_g = Z[y]/(g(y)) are mapped by ρ_f : x ↦ z and ρ_g : y ↦ z onto F_{p^n} = F_p[z]/(ψ(z)).

In the remaining of this paper, we will only use ρ = ρ_f, K = K_f and R_f. After the relation collection and linear algebra phases, the (virtual) logarithm of a subset of elements in each ring R_f, R_g is known. The individual DL step computes a preimage in one of the rings R_f, R_g of the target element in F_{p^n}. If one can write the target preimage as a product of elements of known (virtual) logarithm, then one can deduce the individual DL of the target. The key point of individual DL computation is finding a smooth decomposition in small enough factors of the target preimage.

1.3 Previous Work on Individual Discrete Logarithm 

The asymptotic running time of NFS algorithm steps are estimated with the L-function:

$$L_Q[\alpha, c] = \exp\Big((c + o(1)) (\log Q)^{\alpha} (\log\log Q)^{1-\alpha}\Big) \quad \text{with } \alpha \in [0, 1] \text{ and } c > 0 .$$

The α parameter measures the gap between polynomial time (L_Q[α = 0, c] = log^c Q) and exponential time (L_Q[α = 1, c] = Q^c). When c is implicit, or obvious from the context, we simply write L_Q[α]. When the complexity relates to an algorithm for a prime field F_p, we write L_p[α, c].

Large prime fields. Many improvements for computing discrete logarithms first concerned prime fields. The first subexponential DL algorithm in prime fields was due to Adleman [1] and had a complexity of L_p[1/2, 2]. In 1986, Coppersmith, Odlyzko and Schroeppel [13] introduced a new algorithm (COS), of complexity L_p[1/2, 1]. They computed individual DL [13, §6] in L_p[1/2, 1/2] in two steps (finding a boot of medium-sized primes, then finding relations of logarithms in the database for each medium prime). In these two algorithms, the factor basis was quite large (the smoothness bound was L_p[1/2, 1/2] in both cases), providing a much faster individual DL compared to relation collection and linear algebra. This is where the common belief that individual logarithms are easy to find (and have a negligible cost compared with the prior relation collection and linear algebra phases) comes from.

In 1993, Gordon [15] proposed the first version of the NFS-DL algorithm for prime fields F_p with asymptotic complexity L_p[1/3, 9^{1/3} ≈ 2.08]. However, with the L_p[1/3] algorithm there are new difficulties, among them the individual DL phase. In this L_p[1/3] algorithm, many fewer logarithms of small elements are known, because of a smaller smoothness bound (in L_p[1/3] instead of L_p[1/2]). The relation collection is shortened, explaining the L_p[1/3] running time. But in the individual DL phase, since some non-small elements in the decomposition of the target have an unknown logarithm, a dedicated sieving and linear algebra phase is done for each of them. Gordon estimated the running-time of individual DL computation to be L_p[1/3, 9^{1/3} ≈ 2.08], i.e. the same as the first two phases. In 1998, Weber [24, §6] compared the NFS-DL algorithm to the COS algorithm for an 85 decimal digit prime and made the same observation about individual DL cost.

In 2003, ten years after Gordon's algorithm, Joux and Lercier [17] were the first to dissociate in NFS relation collection plus linear algebra on one side and individual DL on the other side. They used the special-q technique to find the logarithm of medium-sized elements in the target decomposition. In 2006, Commeine and Semaev [11] analyzed the Joux-Lercier method. They obtained an asymptotic complexity of L_p[1/3, 3^{1/3} ≈ 1.44] for computing individual logarithms, independent of the relation collection and linear algebra phases. In 2013, Barbulescu [4, §4, §7.3] gave a tight analysis of the individual DL computation for prime fields, decomposed in three steps: booting (also called smoothing), descent, and final combination of logarithms. The booting step has an asymptotic complexity of L_p[1/3, 1.23] and the descent step of L_p[1/3, 1.21]. The final computation has a negligible cost.

Non-prime fields of medium to large characteristic. In 2006, Joux, Lercier, Smart and Vercauteren [19] computed a discrete logarithm in a cubic extension of a prime field. They used the special-q descent technique again. They proposed for large characteristic fields an equivalent of the rational reconstruction technique for prime fields and the Waterloo algorithm [8] for small characteristic fields, to improve the initializing step preceding the descent. For DLs in prime fields, the target is an integer modulo p. The rational reconstruction method outputs two integers of half size compared to p, such that their quotient is equal to the target element modulo p. Finding a smooth decomposition of the target modulo p becomes equivalent to finding a (simultaneous) smooth decomposition of two elements, each of half the size. We explain their method (that we call the JLSV fraction method in the following) for extension fields in Sec. 2.3.

Link with polynomial selection. The running-time for finding a smooth decomposition depends on the norm of the target preimage. The norm of the preimage depends on the polynomial defining the number field. In particular, the smaller the coefficients and degree of the polynomial, the smaller the preimage norm. Some polynomial selection methods output polynomials that produce much smaller norms. That may be one of the reasons why the record computation of Joux et al. [19] used another polynomial selection method, whose first polynomial has very small coefficients, and the second one has coefficients of size O(p). Thanks to the very small coefficients of the first polynomial, their fraction technique was very useful. Their polynomial selection technique is now superseded by their JLSV_1 method [19, §2.3] for larger values of p. As noted in [19, §3.2], the fraction technique is useful in practice for small n. But for the JLSV_1 method and n > 3, this is already too slow (compared to not using it). In 2008, Zajac [25] implemented the NFS-DL algorithm for computing DLs in F_{p^6} with p of 40 bits (12 decimal digits (dd), i.e. F_{p^6} of 240 bits or 74 dd). He used the methods described in [19], with a first polynomial with very small coefficients and a second one with coefficients in O(p). In this case, individual DL computation was possible (see the well-documented [25, §8.4.5]). In 2013, Hayasaka, Aoki, Kobayashi and Takagi [16] computed a DL in F_{p^{12}} with p = 122663 (p^n of 203 bits or 62 dd). We noted that all these records used the same polynomial selection method, so that one of the polynomials has very small coefficients (e.g. f = — 2x — 1) whereas the second one has coefficients in O(p).

In 2009, Joux, Lercier, Naccache and Thomé [18] proposed an attack of DLP in a protocol context. The relation collection is sped up with queries to an oracle. They wrote in [18, §B] an extended analysis of individual DL computation. In their case, the individual logarithm phase of the NFS-DL algorithm has a running-time of L_Q[1/3, c] where c = 1.44 in the large characteristic case, and c = 1.62 in the medium characteristic case. In 2014, Barbulescu and Pierrot [3] presented a multiple number field sieve variant (MNFS) for extension fields, based on Coppersmith's ideas [12]. The individual logarithm is studied in [3, §A]. They also used a descent technique, for a global estimated running time in L_Q[1/3, (9/2)^{1/3}], with a constant c ≈ 1.65. Recently in 2014, Barbulescu, Gaudry, Guillevic and Morain [5,6] announced 160 and 180 decimal digit discrete logarithm records in quadratic fields. They also used a technique derived from the JLSV fraction method and a special-q descent technique, but did not give an asymptotic running-time. It appears that this technique becomes inefficient as soon as n = 3 or 4.

Overview of NFS-DL asymptotic complexities. The running-time of the relation collection step and the individual DL step rely on the smoothness probability of integers. An integer is said to be B-smooth if all its prime divisors are less than B. An ideal in a number field is said to be B-smooth if it factors into prime ideals whose norms are bounded by B. Usually, the relation collection and the linear algebra are balanced, so that they both have the same dominating asymptotic complexity. The NFS algorithm for DL in prime and large characteristic fields has a dominating complexity of L_Q[1/3, (64/9)^{1/3} ≈ 1.923]. For the individual DL in a prime field F_p, the norm of the target preimage in the number field is bounded by p. This bound gives the running time of this fourth step (much smaller than relation collection and linear algebra). Finding a smooth decomposition of the preimage and computing the individual logarithm (see [11]) has complexity L_p[1/3, c] with c = 1.44, and c = 1.23 with the improvements of [4]. The booting step is dominating. In large characteristic fields, the individual DL has a complexity of L_Q[1/3, 1.44], dominated by the booting step again ([18, §B] for JLSV_2, Table 3 for gJL).

In generic medium characteristic fields, the complexity of the NFS algorithm is L_Q[1/3, (128/9)^{1/3} ≈ 2.42] with the JLSV_1 method proposed in [19, §2.3], L_Q[1/3, 2.20] with the Conjugation method [6], and L_Q[1/3, 2.156] with the MNFS version [23]. We focus on the individual DL step with the JLSV_1 and Conjugation methods. In these cases, the preimage norm bound is in fact much higher than in prime fields. Without any improvements, the dominating booting step has a complexity of L_Q[1/3, c] with c = 1.62 [18, §C] or c = 1.65 [3, §A]. However, this requires to sieve over ideals of degree 1 ≤ t ≤ n. For the Conjugation method, this is worse: the booting step has a running-time of L_Q[1/3, 6^{1/3} ≈ 1.82] (see our computations in Table 3). Applying the JLSV fraction method lowers the norm bound to O(Q) for the Conjugation method. The individual logarithm in this case has complexity L_Q[1/3, 3^{1/3}] as for prime fields (without the improvements of [4, §4]). However, this method is not suited for number fields generated with the JLSV_1 method, for n > 3.

1.4 Our Contributions

In practice, we realized that the JLSV fraction method, which seems interesting and sufficient because of the O(Q) bound, is in fact not convenient for the gJL and Conjugation methods for n greater than 3. The preimage norm is much too large, so finding a smooth factorization is too slow by an order of magnitude. We propose a way to lift the target from the finite field to the number field, such that the norm is strictly smaller than O(Q) for the gJL and Conjugation methods:

Theorem 1. Let n > 1 and s ∈ F_{p^n}^* a random element (not in a proper subfield of F_{p^n}). We want to compute its discrete logarithm modulo ℓ, where ℓ | Φ_n(p), with Φ_n the n-th cyclotomic polynomial. Let K_f be the number field given by a polynomial selection method, whose defining polynomial has the smallest coefficient size, and R_f = Z[x]/(f(x)). Then there exists a preimage r̄ in R_f of some r ∈ F_{p^n}^*, such that log ρ(r̄) = log s (mod ℓ) and such that the norm of r̄ in K_f is bounded by O(Q^e), where e is equal to

1. 1 − 1/n for the gJL and Conjugation methods;

2. 3/2 − 3/(2n) for the JLSV_1 method;

3. 1 − 2/n for the Conjugation method, if K_f has a well-chosen quadratic subfield satisfying the conditions of Lemma 3;

4. 3/2 − 5/(2n) for the JLSV_1 method, if K_f has a well-chosen quadratic subfield satisfying the conditions of Lemma 3.

Our method reaches the optimal bound, expressed with φ(n) the Euler totient function, for n = 2, 3, 4, 5 combined with the gJL or the Conjugation method. We show that our method provides a dramatic improvement for individual logarithm computation for small n: the running-time of the booting step (finding boots) is L_Q[1/3, c] with c = 1.14 for n = 2, 4, c = 1.26 for n = 3, 6 and c = 1.34 for n = 5. It generalizes to any n, so that the norm is always smaller than O(Q) (the prime field case), hence the booting step running-time in L_Q[1/3, c] always satisfies c < 1.44 for the two state-of-the-art variants of NFS for extension fields (we have c = 1.44 for prime fields). For the JLSV_1 method, this bound is satisfied for n = 4, where we have c = 1.38 (see Table 3).
1.5 Outline

We select three polynomial selection methods involved for NFS-DL in generic extension fields and recall their properties in Sec. 2.1. We recall a commonly used bound on the norm of an element in a number field (Sec. 2.2). We present in Sec. 2.3 a generalization of the JLSV fraction method of [19]. In Sec. 3.1 we give a proof of the booting step complexity stated in Lemma 1. We sketch in Sec. 3.2 the special-q descent technique and list the asymptotic complexities found in the literature according to the polynomial selection methods. We present in Sec. 4 our main idea to reduce the norm of the preimage in the number field, by reducing the preimage coefficient size with the LLL algorithm. We improve our technique in Sec. 5 by using a quadratic subfield when available, to finally complete the proof of Theorem 1. We provide practical examples in Sec. 6, for 180 dd finite fields in Sec. 6.1 and we give our running-time experiments for a 120 dd finite field F_{p^4} in Sec. 6.2.

2 Preliminaries

We recall an important property of the LLL algorithm [21] that we will widely use in this paper. Given a lattice ℒ of Z^n defined by a basis given in an n × n matrix L, and parameters 1/4 < δ < 1, 1/2 < η < √δ, the LLL algorithm outputs an (η, δ)-reduced basis of the lattice, the coefficients of the first (shortest) vector are bounded by

$$(\delta - \eta^2)^{-\frac{n-1}{4}} \det(L)^{1/n} .$$

With (η, δ) close to (0.5, 0.999) (as in NTL or magma), the approximation factor C = (δ − η²)^{−(n−1)/4} is bounded by 1.075^{n−1} (see [10, §2.4.2]). Gama and Nguyen experiments [14] on numerous random lattices showed that on average, C ≈ 1.021^n. In the remaining of this paper, we will simply denote by C this LLL approximation factor.

2.1 Polynomial Selection Methods

We will study the booting step of the NFS algorithm with these three polynomial selection methods:

1. the Joux-Lercier-Smart-Vercauteren (JLSV_1) method [19, §2.3];

2. the generalized Joux-Lercier (gJL) method [22, §2], [6, §3.2];

3. the Conjugation method [6, §3.3].

In a non-multiple NFS version, the JLSV_2 [19, §2.3] and gJL methods have the best asymptotic running-time in the large characteristic case, while the Conjugation method holds the best one in the medium characteristic case. However for a record computation in F_{p^2}, the Conjugation method was used [6]. For medium characteristic fields of record size (between 150 and 200 dd), it seems also that the JLSV_1 method could be chosen ([6, §4.5]). Since the use of each method is not fixed in practice, we study and compare the three above methods for the individual logarithm step of NFS. We recall now the construction and properties of these three methods.
Joux-Lercier-Smart-Vercauteren (JLSV_1) Method. This method was introduced in 2006. We describe it in Algorithm 1. The two polynomials f, g have degree n and coefficient size O(p^{1/2}). We set ψ = gcd(f, g) mod p monic of degree n. We will use ψ to represent the finite field extension F_{p^n} = F_p[x]/(ψ(x)).

Algorithm 1: Polynomial selection with the JLSV_1 method [19, §2.3]
Input: p prime and n integer
Output: f, g, ψ with f, g ∈ Z[x] irreducible and ψ = gcd(f mod p, g mod p) in F_p[x] irreducible of degree n
1  Select f_1(x), f_0(x), two polynomials with small integer coefficients, deg f_1 < deg f_0 = n
2  repeat
3      choose y ≈ ⌈√p⌉
4  until f = f_0 + y f_1 is irreducible in F_p[x]
5  (u, v) ← a rational reconstruction of y modulo p
6  g ← v f_0 + u f_1
7  return (f, g, ψ = f mod p)
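
As an added example (not the paper's own code), Algorithm 1 implemented in Python on a constructed instance: the irreducibility test is the Ben-Or gcd test, the rational reconstruction is a half-extended Euclidean algorithm stopped at √p, and the returned g is checked to be a multiple of ψ modulo p. The prime p = 1000003 and the choices f_0 = x^3 + 2, f_1 = x + 1 are constructed values, not taken from the paper.

```python
# Added example, not the paper's code: Algorithm 1 (JLSV_1 polynomial selection)
# on a constructed toy instance. Polynomials are coefficient lists indexed by degree.
from math import isqrt

def trim(a):
    """Drop leading zero coefficients (keeps [0] for the zero polynomial)."""
    a = list(a)
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def add(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)
                 for i in range(n)])

def mul_mod(a, b, m, p):
    """a*b in F_p[x]/(m), with m monic of degree n."""
    n = len(m) - 1
    prod = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % p
    for d in range(len(prod) - 1, n - 1, -1):    # reduce degrees >= n using x^n = -(m - x^n)
        c = prod[d]
        if c:
            for k in range(n + 1):
                prod[d - n + k] = (prod[d - n + k] - c * m[k]) % p
    return trim(prod[:n] + [0] * (n - len(prod)))

def pow_mod(a, e, m, p):
    r = [1]
    while e:
        if e & 1:
            r = mul_mod(r, a, m, p)
        a, e = mul_mod(a, a, m, p), e >> 1
    return r

def poly_rem(a, b, p):
    """Remainder of a divided by b in F_p[x] (b nonzero)."""
    a, b = trim([c % p for c in a]), trim([c % p for c in b])
    inv = pow(b[-1], -1, p)
    while a != [0] and len(a) >= len(b):
        c, shift = a[-1] * inv % p, len(a) - len(b)
        for k in range(len(b)):
            a[shift + k] = (a[shift + k] - c * b[k]) % p
        a = trim(a)
    return a

def poly_gcd(a, b, p):
    """Monic gcd in F_p[x]."""
    while b != [0]:
        a, b = b, poly_rem(a, b, p)
    inv = pow(a[-1], -1, p)
    return [c * inv % p for c in a]

def is_irreducible(f, p):
    """Ben-Or test for monic f over F_p: irreducible iff gcd(x^(p^k) - x, f) = 1 for
    1 <= k <= deg(f)/2, i.e. f has no irreducible factor of degree <= deg(f)/2."""
    xpk = [0, 1]
    for _ in range((len(f) - 1) // 2):
        xpk = pow_mod(xpk, p, f, p)                # x^(p^k) mod f
        h = [c % p for c in add(xpk, [0, -1])]
        if poly_gcd(h, f, p) != [1]:
            return False
    return True

def rational_reconstruction(y, p):
    """(u, v) with u = v*y (mod p) and |u|, |v| of size about sqrt(p) (half-extended Euclid)."""
    r0, r1, t0, t1 = p, y % p, 0, 1                # invariant: r_i = t_i * y (mod p)
    while r1 > isqrt(p):
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    return r1, t1

def jlsv1(p, f0, f1):
    """Algorithm 1: f = f0 + y*f1 with y from ceil(sqrt(p)) upwards until f is irreducible
    mod p; then g = v*f0 + u*f1 with (u, v) a rational reconstruction of y modulo p."""
    y = isqrt(p) + (1 if isqrt(p) ** 2 < p else 0)
    while not is_irreducible([c % p for c in add(f0, [y * c for c in f1])], p):
        y += 1
    f = add(f0, [y * c for c in f1])
    u, v = rational_reconstruction(y, p)
    g = add([v * c for c in f0], [u * c for c in f1])
    return f, g, [c % p for c in f], y, (u, v)

if __name__ == "__main__":
    # Constructed instance: p = 1000003 (prime), n = 3, f0 = x^3 + 2, f1 = x + 1.
    f, g, psi, y, (u, v) = jlsv1(1000003, [2, 0, 0, 1], [1, 1])
    print("y =", y, " (u, v) =", (u, v))
    print("f =", f, " g =", g, " psi divides g mod p:", poly_rem(g, psi, 1000003) == [0])
```

Because u ≡ v·y (mod p), g = v f_0 + u f_1 ≡ v(f_0 + y f_1) = v·ψ (mod p), which is the property the last print verifies.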


Generalized Joux-Lercier (gJL) Method. This method was independently proposed in [22, §2] and [4, §8.3] (see also [6, §3.2]). This is a generalization of the Joux-Lercier method [17] for prime fields. We sketch this method in Algorithm 2. The coefficients of g have size O(p^{n/(d+1)}) and those of f have size O(log p), with deg g = d > n and deg f = d + 1.

Algorithm 2: Polynomial selection with the gJL method
Input: p prime, n integer and d > n integer
Output: f, g, ψ with f, g ∈ Z[x] irreducible and ψ = gcd(f mod p, g mod p) in F_p[x] irreducible of degree n
1  Choose a polynomial f(x) of degree d + 1 with small integer coefficients which has a monic irreducible factor ψ(x) = ψ_0 + ψ_1 x + ⋯ + x^n of degree n modulo p
2  Reduce the following (d + 1) × (d + 1) matrix using LLL:

$$
M = \begin{pmatrix}
p & & & & \\
& \ddots & & & \\
& & p & & \\
\psi_0 & \psi_1 & \cdots & 1 & \\
& \ddots & & & \ddots \\
\end{pmatrix}
$$

   where the first n rows carry p on the diagonal (deg ψ = n) and the d + 1 − n remaining rows carry the coefficients of x^i ψ(x), i = 0, …, d − n, to get

$$
\mathrm{LLL}(M) = \begin{pmatrix} g_0 & g_1 & \cdots & g_d \\ & & \vdots & \end{pmatrix}
$$

3  return (f, g = g_0 + g_1 x + ⋯ + g_d x^d, ψ)








Conjugation Method. This method was published in [6] and used for the discrete logarithm record in F_{p^2}, with f = x^4 + 1. The coefficient size of f is in O(log p) and the coefficient size of g is in O(p^{1/2}). We describe it in Algorithm 3.

Algorithm 3: Polynomial selection with the Conjugation method [6, §3.3]
Input: p prime and n integer
Output: f, g, ψ with f, g ∈ Z[x] irreducible and ψ = gcd(f mod p, g mod p) in F_p[x] irreducible of degree n
1  repeat
2      Select g_1(x), g_0(x), two polynomials with small integer coefficients, deg g_1 < deg g_0 = n
3      Select P_y(Y) a quadratic, monic, irreducible polynomial over Z with small coefficients
4  until P_y(Y) has a root y in F_p and ψ(x) = g_0(x) + y g_1(x) is irreducible in F_p[x]
5  f ← Res_Y(P_y(Y), g_0(x) + Y g_1(x))
6  (u, v) ← a rational reconstruction of y
7  g ← v g_0 + u g_1
8  return (f, g, ψ)

Table 1. Properties: degree and coefficient size of the three polynomial selection methods for NFS-DL in F_{p^n}. The coefficient sizes are in O(X). To lighten the notations, we simply write the X term.

method         deg f         deg g     ||f||_∞        ||g||_∞
JLSV_1         n             n         Q^{1/(2n)}     Q^{1/(2n)}
gJL            d + 1 > n     d > n     log p          Q^{1/(d+1)}
Conjugation    2n            n         log p          Q^{1/(2n)}

2.2 Norm Upper Bound in a Number Field

In Sec. 4 we will compute the norm of an element s in a number field K_f. We will need an upper bound of this norm. For all the polynomial selection methods chosen, f is monic, whereas g is not. We remove the leading coefficient of f from any formula involved with a monic f. So let f be a monic irreducible polynomial over Q and let K_f = Q[x]/(f(x)) a number field. Write s ∈ K_f as a polynomial in x, i.e. s = Σ s_i x^i. The norm is defined by a resultant computation:

$$\mathrm{Norm}_{K_f/\mathbb{Q}}(s) = \mathrm{Res}(f, s) .$$

We use Kalkbrener's bound [20, Corollary 2] for an upper bound:

$$|\mathrm{Res}(f, s)| \le \kappa(\deg f, \deg s)\, \|f\|_\infty^{\deg s}\, \|s\|_\infty^{\deg f} ,$$

where κ(n, m) = \binom{n+m}{n}, and ||f||_∞ = max_{0 ≤ i ≤ deg f} |f_i| is the absolute value of the greatest coefficient. An upper bound for κ(n, m) is (n + m)!. We will use the following bound in Sec. 4:

$$|\mathrm{Norm}_{K_f/\mathbb{Q}}(s)| \le (\deg f + \deg s)!\, \|f\|_\infty^{\deg s}\, \|s\|_\infty^{\deg f} . \qquad (1)$$

2.3 Joux Lercier Smart Vercauteren Fraction Method

Notation 1 (Row and column indices). In the following, we will define matrices of size d × d, with d > n. For ease of notation, we will index the rows and columns from 0 to d − 1 instead of 1 to d, so that the (i + 1)-th row at index i, L_i, can be written in polynomial form: the column index j coincides with the degree j of the monomial x^j.

In 2006 was proposed in [19] a method to generalize to non-prime fields the rational reconstruction method used for prime fields. In the prime field setting, the target is an integer modulo p. The rational reconstruction method outputs two integers of half size compared to p and such that their quotient is equal to the target element modulo p. Finding a smooth decomposition of the target modulo p becomes equivalent to finding at the same time a smooth decomposition of two integers of half size each.

To generalize to extension fields, one writes the target preimage as a quotient of two number field elements, each with a smaller norm compared to the original preimage. We denote by s the target in the finite field F_{p^n} and by s̄ a preimage (or lift) in K. Here is a first very simple preimage choice. Let F_{p^n} = F_p[x]/(ψ(x)) and s = Σ_{i=0}^{deg s} s_i x^i with deg s < n. We lift the coefficients s_i ∈ F_p to s̄_i ∈ Z, then we set a preimage of s in the number field K to be

$$\bar{s} = \sum_{i=0}^{\deg s} \bar{s}_i X^i ,$$

with X such that K = Q[X]/(f(X)). (We can also write s̄ = Σ s̄_i α^i with α a root of f in the number field: K = Q[α].) We have ρ(s̄) = s.

Now LLL is used to obtain a quotient whose numerator and denominator have smaller coefficients. We present here the lattice used with the JLSV_1 polynomial selection method. The number field K is of degree n. We define a lattice of dimension 2n. For the corresponding matrix, each column of the left half corresponds to a power of X in the numerator; each column of the right half corresponds to a power of X in the denominator. The matrix is

$$
L = \begin{pmatrix} p\, I_n & 0 \\ S & I_n \end{pmatrix}_{2n \times 2n} ,
$$

where rows 0 to n − 1 carry p on the diagonal, and row n + i (0 ≤ i ≤ n − 1) of S holds the n coefficients of s x^i mod ψ, so that its first row is (s_0, …, s_{n−1}).

The first n coefficients of the output vector, u_0, u_1, …, u_{n−1}, give a numerator u and the last n coefficients give a denominator v, so that s̄ = a · u/v with a a scalar in Q. The coefficients u_i, v_i are bounded by ||u||_∞, ||v||_∞ ≤ C p^{1/2} since the matrix determinant is det L = p^n and the matrix is of size 2n × 2n. However the product of the norms of each u, v in the number field K will be much larger than the norm of the single element s̄ because of the large coefficients of f in the norm formula. We use formula (1) to estimate this bound:

$$\mathrm{Norm}_{K/\mathbb{Q}}(u) \le \|f\|_\infty^{n-1} \|u\|_\infty^{n} = O\big(p^{(n-1)/2}\, p^{n/2}\big) = O(p^{n - 1/2}) = O\big(Q^{1 - \frac{1}{2n}}\big)$$

and the same for Norm_{K/Q}(v), hence the product of the two norms is bounded by O(Q^{2 − 1/n}). The norm of s̄ is bounded by Norm_{K/Q}(s̄) ≤ ||f||_∞^{n−1} ||s̄||_∞^n = O(Q^{3/2 − 1/(2n)}), which is much smaller whenever n > 3. Finding a smooth decomposition of u and v at the same time will be much slower than finding one for s̄ directly, for large p and n > 3. This is mainly because of the large coefficients of f (in O(p^{1/2})).
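
As an added example (not code from the paper or its authors), the JLSV_1 fraction lattice above on a constructed instance: a small exact LLL reduces the 2n × 2n lattice, the first reduced vector is split into u and v, the congruence u ≡ s·v (mod p, ψ) is verified, and the norms of s̄, u, v are computed as resultants and compared against bound (1). The prime p = 1000003, f = x^3 + 1001x + 1003 and the target s are constructed values; f is not checked for irreducibility modulo p, which the congruence check does not need.

```python
# Added example, not the paper's code: the JLSV_1 fraction lattice of this section,
# reduced with an exact (rational-arithmetic) LLL, with norms checked as resultants.
from fractions import Fraction
from math import factorial

def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL on integer row vectors (eta = 1/2 size reduction, Lovasz delta)."""
    b, n = [[Fraction(x) for x in row] for row in basis], len(basis)
    dot = lambda x, y: sum(xi * yi for xi, yi in zip(x, y))
    def gso():                                   # Gram-Schmidt vectors and mu coefficients
        bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bs[j]) / dot(bs[j], bs[j])
                v = [vi - mu[i][j] * wj for vi, wj in zip(v, bs[j])]
            bs.append(v)
        return bs, mu
    bs, mu = gso()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):           # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bs, mu = gso()
        if dot(bs[k], bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bs[k - 1], bs[k - 1]):
            k += 1                               # Lovasz condition holds, move on
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bs, mu = gso()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]

def trim(a):
    a = list(a)                                  # drop leading zero coefficients
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def resultant(f, s):
    """Res(f, s) as the determinant of the Sylvester matrix, computed exactly."""
    f, s = trim(f), trim(s)
    m, k = len(f) - 1, len(s) - 1
    size, fr, sr = m + k, f[::-1], s[::-1]       # rows use highest degree first
    M = [[0] * i + fr + [0] * (size - m - 1 - i) for i in range(k)]
    M += [[0] * i + sr + [0] * (size - k - 1 - i) for i in range(m)]
    M = [[Fraction(x) for x in row] for row in M]
    det = Fraction(1)
    for c in range(size):                        # Gaussian elimination
        piv = next((r for r in range(c, size) if M[r][c]), None)
        if piv is None:
            return 0
        if piv != c:
            M[c], M[piv], det = M[piv], M[c], -det
        det *= M[c][c]
        for r in range(c + 1, size):
            fac = M[r][c] / M[c][c]
            M[r] = [x - fac * y for x, y in zip(M[r], M[c])]
    return int(det)

def norm_bound(f, s):
    """Bound (1): (deg f + deg s)! * ||f||_inf^deg s * ||s||_inf^deg f."""
    f, s = trim(f), trim(s)
    df, ds = len(f) - 1, len(s) - 1
    return factorial(df + ds) * max(map(abs, f)) ** ds * max(map(abs, s)) ** df

def fraction_lattice(s, psi, p):
    """Rows 0..n-1: p*e_i; rows n..2n-1: (coefficients of s*x^i mod psi | e_i)."""
    n = len(psi) - 1
    rows = [[p * (j == i) for j in range(2 * n)] for i in range(n)]
    cur = [c % p for c in s] + [0] * (n - len(s))
    for i in range(n):
        rows.append(cur + [int(j == i) for j in range(n)])
        top, cur = cur[-1], [0] + cur[:-1]        # cur <- x*cur, then reduce x^n by psi
        cur = [(c - top * m) % p for c, m in zip(cur, psi[:n])]
    return rows

def jlsv_fraction(s, f, p):
    """Numerator u and denominator v (n coefficients each) from the shortest LLL vector."""
    n = len(f) - 1
    first = lll(fraction_lattice(s, [c % p for c in f], p))[0]
    return first[:n], first[n:]

def is_quotient_of(u, v, s, f, p):
    """Check u = s*v in F_p[x]/(psi), psi = f mod p, via the lattice rows s*x^i mod psi."""
    n, psi = len(f) - 1, [c % p for c in f]
    rows = fraction_lattice(s, psi, p)
    sv = [sum(v[i] * rows[n + i][j] for i in range(n)) % p for j in range(n)]
    return sv == [c % p for c in u]

if __name__ == "__main__":
    # Constructed instance: p = 1000003, n = 3, a JLSV_1-style f with coefficients ~ sqrt(p).
    P, F, S = 1000003, [1003, 1001, 0, 1], [123456, 654321, 424242]
    u, v = jlsv_fraction(S, F, P)
    print("u =", u, " v =", v, " u = s*v mod (p, psi):", is_quotient_of(u, v, S, F, P))
    for name, poly in (("s", S), ("u", u), ("v", v)):
        print(name, "norm bits:", abs(resultant(F, poly)).bit_length(),
              " bound (1) bits:", norm_bound(F, poly).bit_length())
```

With det L = p^3 and dimension 6, the LLL bound of Sec. 2 gives ||u||_∞, ||v||_∞ ≤ C·p^{1/2} ≈ 1.5 · 1000, which the coefficients returned here respect.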

Application to gJL and Conjugation Method. The method of [19] to improve the smoothness of the target norm in the number field K_f has an advantage for the gJL and Conjugation methods. First we note that the number field degree is larger than n: this is d + 1 > n + 1 for the gJL method and 2n for the Conjugation method. For ease of notation, we denote by d_f the degree of f. We define a lattice of dimension 2d_f. Hence there is more room to reduce the coefficient size of the target s̄.

We put p on the diagonal of the rows of index 0 to n − 1, then the coefficients of x^i ψ(x) from row n to d_f − 1, where 0 ≤ i < d_f − n (ψ is of degree n and has n + 1 coefficients). The rows from index d_f to 2d_f − 1 are filled with s̄ x^i mod f (these elements have d_f coefficients). We obtain a triangular matrix L:

$$
L = \begin{pmatrix} p\, I_n & 0 \\ \Psi & 0 \\ S & I_{d_f} \end{pmatrix}_{2d_f \times 2d_f} ,
$$

where row i of Ψ (matrix row n + i) holds the coefficients (ψ_0, …, ψ_{n−1}, 1) of x^i ψ(x) shifted by i columns, row i of S (matrix row d_f + i) holds the d_f coefficients of s̄ x^i mod f, and the zero blocks pad each row to 2d_f entries.

Since the determinant is det L = p^n and the matrix is of dimension 2d_f × 2d_f, the coefficients obtained with LLL will be bounded by C p^{n/(2d_f)}. The norm of the numerator or the denominator (with s̄ = u(X)/v(X) ∈ K_f) is bounded by

$$\mathrm{Norm}_{K_f/\mathbb{Q}}(u) \le \|f\|_\infty^{d_f - 1} \|u\|_\infty^{d_f} = O(p^{n/2}) = O(Q^{1/2}) .$$

The product of the two norms will be bounded by O(Q) hence we will have the same asymptotic running time as for prime fields, for finding a smooth decomposition of the target in a number field obtained with the gJL or Conjugation method. We will show in Sec. 4 that we can do even better.


3 Asymptotic Complexity of Individual DL Computation

3.1 Asymptotic Complexity of Initialization or Booting Step

In this section, we prove the following lemma on the booting step running-time to find a smooth decomposition of the norm preimage. This was already proven especially for an initial norm bound of O(Q). We state it in the general case of a norm bound of Q^e. The smoothness bound B = L_Q[2/3, γ] used here is not the same as for the relation collection step, where the smoothness bound was B_0 = L_Q[1/3, β_0]. Consequently, the special-q output in the booting step will be bounded by B.

Lemma 1 (Running-time of B-smooth decomposition). Let s ∈ F_Q of order ℓ. Take at random t ∈ [1, ℓ − 1] and assume that the norm S_t of a preimage of s^t ∈ F_Q, in the number field K_f, is bounded by Q^e = L_Q[1, e]. Write B = L_Q[α_B, γ] the smoothness bound for S_t. Then the lower bound of the expected running time for finding t s.t. the norm S_t of s^t is B-smooth is L_Q[1/3, (3e)^{1/3}], obtained with α_B = 2/3 and γ = (e²/3)^{1/3}.

First, we need a result on smoothness probability. We recall the definition of B-smoothness already stated in Sec. 1.3: an integer S is B-smooth if and only if all its prime divisors are less than or equal to B. We also recall the L-notation widely used for sub-exponential asymptotic complexities:

$$L_Q[\alpha, c] = \exp\Big((c + o(1)) (\log Q)^{\alpha} (\log\log Q)^{1-\alpha}\Big) \quad \text{with } \alpha \in [0, 1] \text{ and } c > 0 .$$

The Canfield-Erdős-Pomerance [9] theorem provides a useful result to measure smoothness probability:

Theorem 2 (B-smoothness probability). Suppose 0 < α_B < α_S ≤ 1, σ > 0, and β > 0 are fixed. For a random integer S bounded by L_Q[α_S, σ] and a smoothness bound B = L_Q[α_B, β], the probability that S is B-smooth is

$$\Pr(S \text{ is } B\text{-smooth}) = L_Q\Big[\alpha_S - \alpha_B,\ -(\alpha_S - \alpha_B)\frac{\sigma}{\beta}\Big] \qquad (2)$$

for Q → ∞.

We prove now Lemma 1 that states the running-time of individual logarithm
when the norm of the target in a number field is bounded by $O(Q^e)$.

Proof (of Lemma 1). From Theorem 2, the probability that $S$ bounded by
$Q^e = L_Q[1, e]$ is $B$-smooth with $B = L_Q[\alpha_B, \gamma]$ is
$\Pr(S \text{ is } B\text{-smooth}) = L_Q[1 - \alpha_B, -(1 - \alpha_B)\frac{e}{\gamma}]$.
We assume that a $B$-smoothness test with ECM takes time
$L_B[1/2, \sqrt{2}] = L_Q[\frac{\alpha_B}{2}, (2\gamma\alpha_B)^{1/2}]$. The running-time for
finding a $B$-smooth decomposition of $S$ is the ratio of the time per test (ECM
cost) to the $B$-smoothness probability of $S$:

$$L_Q\Big[1 - \alpha_B,\ (1 - \alpha_B)\frac{e}{\gamma}\Big] \cdot L_Q\Big[\frac{\alpha_B}{2},\ (2\gamma\alpha_B)^{1/2}\Big] .$$

We optimize first the $\alpha$ value, so that $\alpha \leq 1/3$ (that is, not exceeding the
$\alpha$ of the two previous steps of the NFS algorithm): $\max(\alpha_B/2,\ 1 - \alpha_B) \leq \frac{1}{3}$.
This gives the system

$$\alpha_B \leq 2/3, \qquad \alpha_B \geq 2/3 .$$

So we conclude that $\alpha_B = \frac{2}{3}$. The running-time for finding a $B$-smooth
decomposition of $S$ is therefore

$$L_Q\Big[1/3,\ \Big(\frac{4}{3}\gamma\Big)^{1/2} + \frac{e}{3\gamma}\Big] .$$

The minimum$^5$ of the function $\gamma \mapsto (\frac{4}{3}\gamma)^{1/2} + \frac{e}{3\gamma}$ is $(3e)^{1/3}$,
corresponding to $\gamma = (e^2/3)^{1/3}$, which yields our optimal running time,
together with the special-$q$ bound $B$:

$$L_Q\big[1/3,\ (3e)^{1/3}\big] \quad \text{with } q \leq B = L_Q\big[2/3,\ (e^2/3)^{1/3}\big] .$$

□

$^5$ One computes the derivative of the function $h_{a,b}(x) = a\sqrt{x} + b/x$; this is
$h'_{a,b}(x) = \frac{a}{2\sqrt{x}} - \frac{b}{x^2}$ and one finds that the minimum of $h$ for $x > 0$ is
$h_{a,b}\big((2b/a)^{2/3}\big) = 3\,(a^2 b/4)^{1/3}$. With $a = 2/3^{1/2}$ and $b = e/3$, we obtain the
minimum: $h\big((e^2/3)^{1/3}\big) = (3e)^{1/3}$.


3.2 Running-Time of Special-q Descent


The second step of the individual logarithm computation is the special-$q$ descent.
This consists in computing the logarithms of the medium-sized elements in the
factorization of the target in the number field. The first special-$q$ is of order
$L_Q[2/3, \gamma]$ (this is the boot obtained in the initialization step) and is the norm
of a degree one prime ideal in the number field where the booting step was done
(usually $K_f$). The idea is to sieve over linear combinations of degree one ideals,
in $K_f$ and $K_g$ at the same time, whose norms for one side will be multiples of $q$
by construction, in order to obtain a relation involving a degree one prime ideal
of norm $q$ and other degree one prime ideals of norm strictly smaller than $q$.

Here is the common way to obtain such a relation. Let $\mathfrak{q}$ be a degree one
prime ideal of $K_f$, whose norm is $q$. We can write $\mathfrak{q} = (q, r_q)$, with $r_q$ a root of
$f$ modulo $q$ (hence $|r_q| < q$). We need to compute two ideals $\mathfrak{q}_1, \mathfrak{q}_2 \in K_f$ whose
respective norm is a multiple of $q$, and sieve over $a\mathfrak{q}_1 + b\mathfrak{q}_2$. The classical way
to construct these two ideals is to reduce the two-dimensional lattice generated
by $q$ and $r_q - \alpha_f$, i.e. to compute

$$\mathrm{LLL}\begin{pmatrix} q & 0 \\ r_q & -1 \end{pmatrix} = \begin{pmatrix} u_1 & v_1 \\ u_2 & v_2 \end{pmatrix}$$

to obtain two degree-one ideals $u_1 + v_1\alpha_f$, $u_2 + v_2\alpha_f$ with shorter coefficients.
One sieves over $(au_1 + bu_2) + (av_1 + bv_2)\alpha_f$ and $(au_1 + bu_2) + (av_1 + bv_2)\alpha_g$. The new
ideals obtained in the relations will be treated as new special-$q$s until a relation
of ideals of norm bounded by $B_0$ is found, where $B_0$ is the bound on the factor
basis, so that the individual logarithms are finally known. The sieving is done
in three stages, for the three ranges of parameters.

1. For $q = L_Q[2/3, \beta_1]$: large special-$q$;

2. For $q = L_Q[\lambda, \beta_2]$ with $1/3 < \lambda < 2/3$: medium special-$q$;

3. For $q = L_Q[1/3, \beta_3]$: small special-$q$.

The proof of the complexity is not trivial at all, and since this step is allegedly
cheaper than the two main phases of sieving and linear algebra, whose complexity
is $L_Q[1/3, (64/9)^{1/3}]$, the proofs are not always expanded.

There is a detailed proof in [11, §4.3] and [4, §7.3] for prime fields $\mathbb{F}_p$. We
found another detailed proof in [18, §B] for large characteristic fields $\mathbb{F}_{p^n}$, however
this was done for the polynomial selection of [19, §3.2] (which has the same main
asymptotic complexity $L_Q[1/3, (64/9)^{1/3}]$). In [22, §4, pp. 144-150] the NFS-DL
algorithm is not proposed in the same order: the booting and descent steps (step
(5) of the algorithm in [22, §2]) are done as a first sieving, then the relations are
added to the matrix that is solved in the linear algebra phase. What corresponds
to a booting step is proved to have a complexity bounded by $L_Q[1/3, 3^{1/3}]$ and
there is a proof that the descent phase has a smaller complexity than the booting
step. There is a proof for the JLSV$_1$ polynomial selection in [18, §C] and [3, §A]
for a MNFS variant. We summarize in Tab. 2 the asymptotic complexity formulas
for the booting step and the descent step that we found in the available papers.


Table 2. Complexity of the booting step and the descent step for computing one
individual DL, in $\mathbb{F}_p$ and $\mathbb{F}_{p^n}$, in medium and large characteristic. The complexity is
given by the formula $L_Q[1/3, c]$; only the constant $c$ is given in the table for ease of
notation. The descent of a medium special-$q$, bounded by $L_Q[\lambda, c]$ with $1/3 < \lambda < 2/3$,
is proven to be negligible compared to the large and small special-$q$ descents. In [18,
§B,C], the authors used a sieving technique over ideals of degree $t > 1$ for large and
medium special-$q$ descent.

| reference     | finite field         | polynomial selection | target norm bound          | booting step | descent step: large | descent step: med. | descent step: small |
|---------------|----------------------|----------------------|----------------------------|--------------|---------------------|--------------------|---------------------|
| [11, §4.3]    | $\mathbb{F}_p$           | JL03 [17]            | $p$                        | 1.44         | < 1.44              |                    |                     |
| [4, Tab. 7.1] | $\mathbb{F}_p$           | JL03 [17]            | $p$                        | 1.23         | 1.21                | neg.               | 0.97                |
| [22, §4]      | $\mathbb{F}_{p^n}$, large $p$ | gJL              | $Q$                        | 1.44         | < 1.44              |                    |                     |
| [18, §B]      | $\mathbb{F}_{p^n}$, large $p$ | JLSV$_2$         | $Q$                        | 1.44         | -                   | neg.               | 1.27                |
| [18, §C]      | $\mathbb{F}_{p^n}$, med. $p$  | JLSV$_1$ variant | $Q^{1+\alpha}$, $\alpha \approx 0.4$ | 1.62 | -                   | neg.               | 0.93                |
| [3, §A]       | $\mathbb{F}_{p^n}$, med. $p$  | JLSV$_1$         | $Q^{3/2}$                  | 1.65         | < 1.03              |                    |                     |

Usually, the norm of the target is assumed to be bounded by $Q$ (this is clearly
the case for prime fields $\mathbb{F}_p$). The resulting initialization step (finding a boot
for the descent) has complexity $L_Q[1/3, 3^{1/3} \approx 1.44]$. Since the large special-$q$
descent complexity depends on the size of the largest special-$q$ of the boot,
lowering the norm, hence the booting step complexity and the largest special-$q$
of the boot, also decreases the large special-$q$ descent step complexity. It would
be a considerable project to rewrite new proofs for each polynomial selection
method, according to the new booting step complexities. However, it seems to
us that by construction, the large special-$q$ descent step in these cases has a
(from much to slightly) smaller complexity than the booting step. The medium
special-$q$ descent step has a negligible cost in the cases considered above. Finally,
the small special-$q$ descent step does not depend on the size of the boot but on
the polynomial properties (degree, and coefficient size). We note that for the
JLSV$_2$ polynomial selection, the constant of the complexity is 1.27. It would be
interesting to know the constant for the gJL and Conjugation methods.

The third and final step of individual logarithm computation is very fast. It 
combines all of the logarithms computed before, to get the final discrete loga¬ 
rithm of the target. 


4 Computing a Preimage in the Number Field 


Our main idea is to compute a preimage in the number field with smaller degree
(less than $\deg s$) and/or of coefficients of reduced size, by using the subfield
structure of $\mathbb{F}_{p^n}$. We at least have one non-trivial subfield: $\mathbb{F}_p$. In this section,
we reduce the size of the coefficients of the preimage. This reduces its norm and
gives the first part of the proof of Theorem 1. In the following section, we will
reduce the degree of the preimage when $n$ is even, completing the proof.


Lemma 2. Let $s \in \mathbb{F}_{p^n}^* = \mathbb{F}_p[X]/(\psi(X))$, $\deg s < n$. Let $\ell$ be a non-trivial
divisor of $\Phi_n(p)$. Let $s' = u \cdot s$ with $u$ in a proper subfield of $\mathbb{F}_{p^n}$. Then

$$\log s' = \log s \bmod \ell . \qquad (3)$$

Proof. We start with $\log s' = \log s + \log u$ and since $u$ is in a proper subfield
$\mathbb{F}_{p^d}$ ($d \mid n$, $d < n$), we have $u^{p^d - 1} = 1$, then $u^{(p^n - 1)/\Phi_n(p)} = 1$ because
$p^d - 1$ divides $(p^n - 1)/\Phi_n(p)$. Hence the logarithm of $u$ modulo $\ell$
is zero, and $\log s' = \log s \bmod \ell$. □


Example 1 (Monic preimage). Let $s'$ be equal to $s$ divided by its leading term,
$s' = \frac{1}{s_{\deg s}}\, s \in \mathbb{F}_{p^n}$. We have $\log s' = \log s \bmod \ell$.


We assume in the following that the target $s$ is monic since dividing by its leading
term does not change its logarithm modulo $\ell$.
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4.1 Preimage Computation in the JLSVi Case 

Let $s = \sum_{i=0}^{n-1} s_i X^i$ with $s_{n-1} = 1$. We define a lattice of dimension $n$ by
the $n \times n$ matrix

$$L = \begin{pmatrix} p & & & \\ & \ddots & & \\ & & p & \\ s_0 & \cdots & s_{n-2} & 1 \end{pmatrix}$$

with $p$ on the diagonal for the first $n - 1$ rows (from $0$ to $n - 2$), and the coefficients
of the monic element $s$ on row $n - 1$. Applying the LLL algorithm to $L$, we
obtain a reduced element $r = \sum r_i \alpha_f^i \in K_f$ such that

$$r = \sum_{i=0}^{n-1} a_i L_i$$

with $L_i$ the vector defined by the $i$-th row of the matrix and $a_i$ a scalar in $\mathbb{Z}$. We
map this equality in $\mathbb{F}_{p^n}$ with $\rho$. All the terms cancel out modulo $p$ except the
line with $s$:

$$\rho(r) = \rho(a_{n-1}) \cdot \rho(s) = u \cdot s \bmod (p, \psi)$$

with $u = \rho(a_{n-1}) \in \mathbb{F}_p$. Hence, by Lemma 2,

$$\log \rho(r) = \log s \bmod \ell . \qquad (4)$$

Moreover,

$$\|r\|_\infty \leq p^{(n-1)/n} .$$

It is straightforward, using Inequality (1), to deduce that

$$\mathrm{Norm}_{K_f/\mathbb{Q}}(r) = O\big(p^{n-1} \cdot p^{(n-1)/2}\big) = O\big(Q^{\frac{3}{2} - \frac{3}{2n}}\big) .$$

We note that this first simple improvement applied to the JLSV$_1$ construction is
already better than doing nothing: in that case, $\mathrm{Norm}_{K_f/\mathbb{Q}}(s) = O(Q^{\frac{3}{2} - \frac{1}{2n}})$. The
norm of $r$ is smaller by a factor of size $Q^{1/n}$. For $n = 2$ we have $\mathrm{Norm}_{K_f/\mathbb{Q}}(r) =
O(Q^{3/4})$ but for $n = 3$, the bound is $\mathrm{Norm}_{K_f/\mathbb{Q}}(r) = O(Q)$, and for $n = 4$,
$O(Q^{9/8})$. This is already too large. We would like to obtain such a bound,
strictly smaller than $O(Q)$, for any $n$.


4.2 Preimage Computation in the gJL and Conjugation Cases 

Let $s = \sum_{i=0}^{n-1} s_i X^i$ with $s_{n-1} = 1$. In order to present a generic method
for both the gJL and the Conjugation methods, we denote by $d_f$ the degree of
$f$. In the gJL case we have $d_f = d + 1 \geq n + 1$, while in the Conjugation case,
$d_f = 2n$. We define the $d_f \times d_f$ matrix with $p$ on the diagonal for the first $n - 1$
rows, and the coefficients of the monic element $s$ on row $n - 1$. The rows $n$ to $d_f - 1$
are filled with the coefficients of the monic polynomial $\psi X^j$ with $0 \leq j < d_f - n$.

$$L = \begin{pmatrix}
p & & & & & & \\
& \ddots & & & & & \\
& & p & & & & \\
s_0 & \cdots & s_{n-2} & 1 & & & \\
\psi_0 & \psi_1 & \cdots & \psi_{n-1} & 1 & & \\
& \ddots & & & \ddots & \ddots & \\
& & \psi_0 & \psi_1 & \cdots & \psi_{n-1} & 1
\end{pmatrix}$$

($n - 1$ rows with $p$, row $n - 1$ with the $s$ coefficients, $d_f - n$ rows with the $\psi$ coefficients.)

Applying the LLL algorithm to $L$, we obtain a reduced element $r = \sum_{i=0}^{d_f - 1} r_i \alpha_f^i \in K_f$
such that $r = \sum_{i=0}^{d_f - 1} a_i L_i$ where $L_i$ is the $i$-th row vector of $L$ and $a_i$ is
a scalar in $\mathbb{Z}$. We map this equality into $\mathbb{F}_{p^n}$ with $\rho$. All the terms cancel out
modulo $(p, \psi)$ except the one with $s$ coefficients:

$$\rho(r) = \rho(a_{n-1}) \cdot \rho(s) = u \cdot s \bmod (p, \psi)$$

with $u = \rho(a_{n-1}) \in \mathbb{F}_p$. Hence, by Lemma 2,

$$\log \rho(r) = \log s \bmod \ell . \qquad (5)$$

Moreover,

$$\|r\|_\infty \leq p^{(n-1)/d_f} .$$

It is straightforward, using Inequality (1), to deduce that

$$\mathrm{Norm}_{K_f/\mathbb{Q}}(r) = O\big(p^{n-1}\big) = O\big(Q^{1 - \frac{1}{n}}\big) .$$

Here we obtain a bound that is always strictly smaller than $Q$ for any $n$. In the
next section we show how to improve this bound to $O(Q^{1 - \frac{2}{n}})$ when $n$ is even
and the number field defined by $\psi$ has a well-suited quadratic subfield.

5 Preimages of Smaller Norm with Quadratic Subfields 

Reducing the degree of $s$ can reduce the norm size in the number field for the
JLSV$_1$ polynomial construction. We present a way to compute $r \in \mathbb{F}_{p^n}$ of degree
$n - 2$ from $s \in \mathbb{F}_{p^n}$ of degree $n - 1$ in the given representation of $\mathbb{F}_{p^n}$, with $r, s$
satisfying Lemma 2. We need $n$ to be even and the finite field $\mathbb{F}_{p^n}$ to be expressed
as a degree-$n/2$ extension of a quadratic extension defined by a polynomial of a
certain form. We can define another lattice with $r$ and get a preimage of degree
$n - 2$ instead of $n - 1$ in the number field. This can be interesting with the
JLSV$_1$ method. Combining this method with the previous one of Sec. 4 leads to
our proof of Theorem 1.
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5.1 Smaller Preimage Degree 

In this section, we prove that when $n$ is even and $\mathbb{F}_{p^n} = \mathbb{F}_p[X]/(\psi(X))$ has a
quadratic base field $\mathbb{F}_{p^2}$ of a certain form, from a random element $s \in \mathbb{F}_{p^n}$ with
$s_{n-1} \neq 0$, we can compute an element $r \in \mathbb{F}_{p^n}$ with $r_{n-1} = 0$, and $s = u \cdot r$ with
$u \in \mathbb{F}_{p^2}$. Then, using Lemma 2, we will conclude that $\log r = \log s \bmod \ell$.

Lemma 3. Let $\psi(X)$ be a monic irreducible polynomial of $\mathbb{F}_p[X]$ of even degree
$n$ with a quadratic subfield defined by the polynomial $P_Y = Y^2 + y_1 Y + y_0$.
Moreover, assume that $\psi$ splits over $\mathbb{F}_{p^2} = \mathbb{F}_p[Y]/(P_Y(Y))$ as

$$\psi(X) = (P_Z(X) - Y)(P_Z(X) - Y^p) \quad \text{or} \quad \psi(X) = (P_Z(X) - YX)(P_Z(X) - Y^p X)$$

with $P_Z$ monic, of degree $n/2$ and coefficients in $\mathbb{F}_p$. Let $s \in \mathbb{F}_p[X]/(\psi(X))$ be a
random element, $s = \sum_{i=0}^{n-1} s_i X^i$.
Then there exists $r \in \mathbb{F}_{p^n}$ monic and of degree $n - 2$ in $X$, and $u \in \mathbb{F}_{p^2}$, such
that $s = u \cdot r$ in $\mathbb{F}_{p^n}$.

We first give an example for $s \in \mathbb{F}_{p^4}$ then present a constructive proof.

Example 2. Let $P_Y = Y^2 + y_1 Y + y_0$ be a monic irreducible polynomial over $\mathbb{F}_p$
and set $\mathbb{F}_{p^2} = \mathbb{F}_p[Y]/(P_Y(Y))$. Assume that $Z^2 - YZ + 1$ is irreducible over $\mathbb{F}_{p^2}$
and set $\mathbb{F}_{p^4} = \mathbb{F}_{p^2}[Z]/(Z^2 - YZ + 1)$. Let $\psi = X^4 + y_1 X^3 + (y_0 + 2)X^2 + y_1 X + 1$
be a monic reciprocal polynomial. By construction, $\psi$ factors over $\mathbb{F}_{p^2}$ into
$(X^2 - YX + 1)(X^2 - Y^p X + 1)$ and $\mathbb{F}_p[X]/(\psi(X))$ defines a quartic extension
$\mathbb{F}_{p^4}$ of $\mathbb{F}_p$. We have these two representations for $\mathbb{F}_{p^4}$:

    F_{p^4} = F_{p^2}[Z]/(Z^2 - YZ + 1)     and     F_{p^4} = F_p[X]/(X^4 + y_1 X^3 + (y_0 + 2)X^2 + y_1 X + 1)
              |                                               |
    F_{p^2} = F_p[Y]/(Y^2 + y_1 Y + y_0)                      |
              |                                               |
             F_p                                             F_p


Proof (of Lemma 3). Two possible extension field towers are:

    F_{p^n} = F_{p^2}[Z]/(P_Z(Z) - Y)             F_{p^n} = F_{p^2}[Z]/(P_Z(Z) - YZ)
              |                                             |
    F_{p^2} = F_p[Y]/(P_Y(Y))            and      F_{p^2} = F_p[Y]/(P_Y(Y))
              |                                             |
             F_p                                           F_p

We write $s$ in the following representation to emphasize the subfield structure:

$$s = \sum_{i=0}^{n/2 - 1} (a_{i0} + a_{i1} Y) Z^i \quad \text{with } a_{ij} \in \mathbb{F}_p .$$

1. If $\psi = P_Z(Z) - Y$ then we can divide $s$ by $u_{LT} = a_{n/2-1,0} + a_{n/2-1,1} Y \in \mathbb{F}_{p^2}$ (the
   leading term in $Z$, i.e. the coefficient of $Z^{n/2-1}$) to make $s$ monic in $Z$ up to a
   subfield cofactor $u_{LT}$:

   $$\frac{s}{u_{LT}} = \sum_{i=0}^{n/2 - 2} (b_{i0} + b_{i1} Y) Z^i + Z^{n/2 - 1}$$

   with the coefficients $b_{ij}$ in the base field $\mathbb{F}_p$, and $b_{i0} + b_{i1} Y = (a_{i0} + a_{i1} Y)/u_{LT}$.
   Since $P_Z(Z) = Y$ and $Z = X$ in $\mathbb{F}_{p^n}$ by construction, we replace $Y$ by $P_Z(Z)$
   and $Z$ by $X$ to get an expression for $s$ in $X$:

   $$\frac{s}{u_{LT}} = \sum_{i=0}^{n/2 - 2} \big(b_{i0} + b_{i1} P_Z(X)\big) X^i + X^{n/2 - 1} = r(X) .$$

   The degree in $X$ of $r$ is $\deg r = \deg P_Z(X) X^{n/2 - 2} = n - 2$ instead of $\deg s =
   n - 1$. We set $u = 1/u_{LT}$. By construction, $u \in \mathbb{F}_{p^2}$. We conclude that
   $s = ur \in \mathbb{F}_{p^n}$, with $\deg r = n - 2$ and $u \in \mathbb{F}_{p^2}$.

2. If $\psi = P_Z(Z) - YZ$ then we can divide $s$ by $u_{CT} = a_{00} + a_{01} Y \in \mathbb{F}_{p^2}$ (the
   constant term in $Z$) to make the constant coefficient of $s$ to be 1:

   $$\frac{s}{u_{CT}} = 1 + \sum_{i=1}^{n/2 - 1} (b_{i0} + b_{i1} Y) Z^i$$

   with $b_{ij} \in \mathbb{F}_p$. Since $P_Z(Z) = YZ$ and $Z = X$ in $\mathbb{F}_{p^n}$ by construction, we
   replace $YZ$ by $P_Z(Z)$ and $Z$ by $X$ to get

   $$\frac{s}{u_{CT}} = 1 + \sum_{i=1}^{n/2 - 1} \big(b_{i0} X^i + b_{i1} P_Z(X) X^{i-1}\big) = r(X) .$$

   The degree in $X$ of $r$ is $\deg r = \deg P_Z(X) X^{n/2 - 1 - 1} = n - 2$ instead of
   $\deg s = n - 1$. We set $u = 1/u_{CT}$. By construction, $u \in \mathbb{F}_{p^2}$. We conclude
   that $s = ur \in \mathbb{F}_{p^n}$, with $\deg r = n - 2$ and $u \in \mathbb{F}_{p^2}$. □
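Case 2 of the proof for $n = 4$, in the setting of Example 2, together with the Lemma 2 check, as an added example that is not the paper's code; the parameters $p = 7$, $P_Y = Y^2 + Y + 3$ and the target $s$ are constructed, and the returned $u$ is the cofactor with $s = u \cdot r$ (so $u$ is $u_{CT}$ times the $\mathbb{F}_p$ scalar that makes $r$ monic).

```python
# Added example, not the paper's code: Lemma 3 (case 2) and Lemma 2 for n = 4, the
# setting of Example 2, with constructed parameters p = 7 and P_Y = Y^2 + Y + 3.
# F_{p^2} = F_p[Y]/(P_Y), F_{p^4} = F_p[X]/(psi), psi = X^4 + y1 X^3 + (y0+2) X^2 + y1 X + 1
# = (X^2 - Y X + 1)(X^2 - Y^p X + 1) over F_{p^2}, so Z = X, P_Z(Z) = Z^2 + 1, Y = X + 1/X.
P, Y1, Y0 = 7, 1, 3
PSI = [1, Y1, (Y0 + 2) % P, Y1, 1]            # coefficient lists, low degree first

def nonsquare(a, p):
    return a % p != 0 and pow(a % p, (p - 1) // 2, p) == p - 1

def valid_params(p, y1, y0):
    """P_Y irreducible over F_p: disc y1^2 - 4 y0 non-square. Z^2 - Y Z + 1 irreducible
    over F_{p^2}: Y^2 - 4 non-square there, i.e. its norm (y0+4)^2 - 4 y1^2 non-square mod p."""
    return nonsquare(y1 * y1 - 4 * y0, p) and nonsquare((y0 + 4) ** 2 - 4 * y1 * y1, p)

def mulmod(a, b, mod=PSI, p=P):               # product in F_p[X]/(mod), mod monic
    d = len(mod) - 1
    prod = [0] * (2 * d)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    for k in range(2 * d - 1, d - 1, -1):      # cancel X^k for k >= deg(mod)
        c = prod[k]
        for t in range(d + 1):
            prod[k - d + t] = (prod[k - d + t] - c * mod[t]) % p
    return prod[:d]                            # exactly deg(mod) coefficients

def powmod(a, e, mod=PSI, p=P):
    result, base = [1], a
    while e:
        if e & 1:
            result = mulmod(result, base, mod, p)
        base, e = mulmod(base, base, mod, p), e >> 1
    return result

def fp2_mul(a, b, p=P, y1=Y1, y0=Y0):          # (a0 + a1 Y)(b0 + b1 Y), using Y^2 = -y1 Y - y0
    return ((a[0] * b[0] - a[1] * b[1] * y0) % p,
            (a[0] * b[1] + a[1] * b[0] - a[1] * b[1] * y1) % p)

def fp2_inv(c, p=P, y1=Y1, y0=Y0):             # conjugate (c0 - c1 y1) - c1 Y over the norm
    n = pow((c[0] * c[0] - c[0] * c[1] * y1 + c[1] * c[1] * y0) % p, -1, p)
    return ((c[0] - c[1] * y1) * n % p, -c[1] * n % p)

def fp2_embed(c, p=P, y1=Y1, y0=Y0):
    """c0 + c1 Y in F_p[X]/(psi), with Y = X + X^{-1} = -X^3 - y1 X^2 - (y0+1) X - y1."""
    y = [-y1 % p, -(y0 + 1) % p, -y1 % p, p - 1]
    return [(c[0] + c[1] * y[0]) % p] + [c[1] * t % p for t in y[1:]]

def to_tower(s, p=P, y1=Y1, y0=Y0):
    """s0 + s1 X + s2 X^2 + s3 X^3 = (a00 + a01 Y) + (a10 + a11 Y) Z, Z = X, Y Z = X^2 + 1."""
    s0, s1, s2, s3 = s
    a01 = -s3 % p                              # only Y contributes to X^3
    a11 = (s2 + a01 * y1) % p                  # X^2: a11 - a01 y1
    a10 = (s1 + a01 * (y0 + 1)) % p            # X:   a10 - a01 (y0 + 1)
    a00 = (s0 + a01 * y1 - a11) % p            # 1:   a00 - a01 y1 + a11
    return (a00, a01), (a10, a11)

def subfield_reduce(s, p=P, y1=Y1, y0=Y0):
    """Lemma 3, case 2: (r, u) with r monic of degree n - 2 = 2, u in F_{p^2}, s = u * r.
    s / u_CT = 1 + (b10 + b11 Y) Z with u_CT = a00 + a01 Y the constant term in Z;
    then Y Z -> P_Z(X) = X^2 + 1 and Z -> X."""
    (a00, a01), (a10, a11) = to_tower(s, p, y1, y0)
    b10, b11 = fp2_mul((a10, a11), fp2_inv((a00, a01), p, y1, y0), p, y1, y0)
    inv = pow(b11, -1, p)                      # divide by b11 in F_p to make r monic (b11 != 0)
    r = [(1 + b11) * inv % p, b10 * inv % p, 1]
    return r, fp2_mul((a00, a01), (b11, 0), p, y1, y0)   # u = u_CT * b11

def lemma2_holds(s, r, u, ell):
    """For ell | Phi_4(p) = p^2 + 1: log r = log s mod ell, i.e. s^((p^4-1)/ell) = r^((p^4-1)/ell);
    this follows from u^(p^2-1) = 1, as p^2 - 1 divides (p^4 - 1)/ell."""
    e = (P ** 4 - 1) // ell
    return powmod(fp2_embed(u), P * P - 1) == [1, 0, 0, 0] and powmod(s, e) == powmod(r, e)

if __name__ == "__main__":
    assert valid_params(P, Y1, Y0)
    s = [2, 5, 3, 4]                           # constructed target of degree n - 1 = 3
    r, u = subfield_reduce(s)                  # r = [5, 0, 1] (X^2 + 5), u = (5, 6)
    print(r, u, mulmod(fp2_embed(u), r) == s, lemma2_holds(s, r, u, ell=25))
```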

Now we apply the technique described in Sec. 4.1 to reduce the coefficient
size of $r$ in the JLSV$_1$ construction. We have $r_{n-1} = 0$ and we assume that
$r_{n-2} = 1$. We define the lattice by the $(n - 1) \times (n - 1)$ matrix

$$L = \begin{pmatrix} p & & & \\ & \ddots & & \\ & & p & \\ r_0 & \cdots & r_{n-3} & 1 \end{pmatrix}$$

with $p$ on the diagonal for the first $n - 2$ rows (from $0$ to $n - 3$) and the coefficients of $r$ on row $n - 2$.
After reducing the lattice with LLL, we obtain an element $r'$ whose coefficients
are bounded by $C p^{\frac{n-2}{n-1}}$. The norm of $r'$ in the number field $K_f$ constructed
with the JLSV$_1$ method is

$$\mathrm{Norm}_{K_f/\mathbb{Q}}(r') = O\big(p^{\frac{3}{2}n - 2 - \frac{1}{n-1}}\big) = O\big(Q^{\frac{3}{2} - \frac{2}{n} - \frac{1}{n(n-1)}}\big) .$$

This is better than the previous $O(Q^{\frac{3}{2} - \frac{3}{2n}})$ case: the norm is smaller by a factor
of size $O(Q^{\frac{1}{2n} + \frac{1}{n(n-1)}})$. For $n = 4$, we obtain $\mathrm{Norm}_{K_f/\mathbb{Q}}(r') = O(Q^{11/12})$, which
is strictly less than $O(Q)$.

We can do even better by re-using the element $r$ of degree $n - 2$ and the
given one $s$ of degree $n - 1$, and combining them.

Generalization to subfields of higher degrees. It was pointed out to us by an
anonymous reviewer that more generally, by standard linear algebra arguments,
for $m \mid n$ and $s \in \mathbb{F}_{p^n}$, there exists a non-zero $u \in \mathbb{F}_{p^m}$ such that $s \cdot u$ is a
polynomial of degree at most $n - m$.

5.2 Smaller Preimage Norm 

First, suppose that the target element $s = \sum_{i=0}^{n-1} s_i X^i$ satisfies $s_{n-1} = 0$ and
$s_{n-2} = 1$. We can define a lattice whose vectors, once mapped to $\mathbb{F}_{p^n}$, are either
$0$ (so vectors are sums of multiples of $p$ and $\psi$) or are multiples of the initial
target $s$, satisfying Lemma 2. The above $r$ of degree $n - 2$ is a good candidate.
The initial $s$ also. If there is no initial $s$ of degree $n - 1$, then simply take at
random any $u$ in a proper subfield of $\mathbb{F}_{p^n}$ which is not $\mathbb{F}_p$ itself and set $s = u \cdot r$.
Then $s$ will have $s_{n-1} \neq 0$. Then define the lattice

$$L = \begin{pmatrix} p & & & & \\ & \ddots & & & \\ & & p & & \\ r_0 & \cdots & r_{n-3} & 1 & \\ s_0 & \cdots & s_{n-3} & s_{n-2} & 1 \end{pmatrix}$$

($n \times n$: $p$ on the diagonal for the first $n - 2$ rows, row $n - 2$ with the $r$ coefficients,
row $n - 1$ with the $s$ coefficients) and use it in place of the lattices of Sec. 4.1 or 4.2.

5.3 Summary of results 

We give in Table 3 the previous and new upper bounds for the norm of $s$ in
a number field $K_f$ for three polynomial selection methods: the JLSV$_1$ method,
the generalized Joux-Lercier method and the Conjugation method, and the complexity
of the booting step to find a $B$-smooth decomposition of $\mathrm{Norm}_{K_f/\mathbb{Q}}(s)$.
We give our practical results for small $n$, where there are the most dramatic
improvements. We obtain the optimal norm size for $n = 2, 3, 5$ with
the gJL method and also for $n = 4$ with the Conjugation method.

6 Practical examples 

We present an example for each of the three polynomial selection methods we
decided to study. The Conjugation method provides the best timings for $\mathbb{F}_{p^2}$ at
180 dd [6]. We apply the gJL method to $\mathbb{F}_{p^3}$ according to [6, Fig. 3]. We decided
to use the JLSV$_1$ method for $\mathbb{F}_{p^4}$ [6, Fig. 4].


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Table 3. Norm bound of the preimage with our method, and booting step complexity. 


Fpn 

poly. 

selec. 

norm bound 

booting step Lq[^,c] 

1 practical values of c 

nothing 

JLSV 

this work 


this work 

H 


n = 4 


n = 6 

any n > 1 
even n > 4 

gJL 


Q 


1.44 

(3(1 

( 3 ( 1 - 1 ))'/" 

1.14 

1.26 

1.14 

1.34 

1.26 

any n > 1 
even n > 4 

Conj 

Q" 

Q 

^aam 

1.44 

(3(1-i))'/" 
(3(1-1))'/" 

1.14 

1.26 

1.14 

1.34 

1.26 

any n > 1 
even n > 4 

JLSVi 



Q3/2-3/{2n) 

g3/2-5/(2n) 

1.65 

(1(1-^))"^ 

(i(3-^))'/" 

1.31 

1.44 

1.38 

1.53 

1.48 


6.1 Examples for Small n and of 180 Decimal Digits (dd) 

Example for n = 2, Conjugation Method. We take the parameters of
the record in [6]: $p$ is a 90 decimal digit (300 bit) prime number, and $f, \psi$ are
computed with the Conjugation method. We choose a target $s$ from the decimal
digits of $\exp(1)$.

    p = 314159265358979323846264338327950288419716939937510582097494459230781640628620899877709223
    f = X^4 + 1
    ψ = X^2 + 107781513095823018666989883102244394809412297643895349097410632508049455376698784691699593 X + 1
    s = 271828182845904523536028747135319858432320810108854154561922281807332337576949857498874314 X
        + 95888066250767326321142016575753199022772235411526548684808440973949208471194724618090692

We first compute $s' = \frac{1}{s_1} s$, then reduce

$$L = \begin{pmatrix} p & 0 & 0 & 0 \\ s'_0 & 1 & 0 & 0 \\ 1 & \psi_1 & 1 & 0 \\ 0 & 1 & \psi_1 & 1 \end{pmatrix} ;$$

then LLL($L$) produces $r$ of degree 3 and coefficient size $O(p^{1/4})$. Actually LLL
outputs four short vectors, hence we get four small candidates for $r$, each of norm
$\mathrm{Norm}_{K_f/\mathbb{Q}}(r) = O(p) = O(Q^{1/2})$, i.e. 90 dd. To slightly improve
the smoothness search time, we can compute linear combinations of these four
reduced preimages.

    3603397286457205828471 X^3 + 13679035553643009711078 X^2 + 5577462470851948956594 X + 856176942703613067714
    9219461324482190814893 X^3 − 4498175796333854926013 X^2 + 8957750025494673822198 X + 1117888241691130060409
    28268390944624183141702 X^3 + 5699666741226225385259 X^2 − 17801940403216866332911 X + 5448432247710482696848
    3352162792941463140060 X^3 + 3212585012235692902287 X^2 − 5570636518084759125513 X + 46926508290544662542327

The norm of the first element is

    Norm_{K_f/Q}(r) = 21398828029520168611169045280302428434866966657097075761337598070760485340948677800162921

of 90 decimal digits, as expected. For a close to optimal running-time of $L_Q[1/3, 1.14] \approx
2^{40}$ to find a boot, the special-$q$ bound would be around 64 bits.
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Example for n — 3, gJL Method. We take p of 60 dd (200 bits) so that 
Fp3 has size 180 dd (600 bits) as above. We took p a prime made of the 60 first 
decimal digits of tt. We constructed /, ip , g with the gJL method described in [6]. 

P = 314159265358979323846264338327950288419716939937510582723487 

/ = — X + 1 

Ip = X^ + 227138144243642333129902287795664772043667053260089299478579X^ 

+126798022201426805402186761110440110121157863791585328913565X “h 86398309157441443539791899517788388184853963071847115552638 
g = 287767088987135456608033317246385224990821439lX^ + 609951652432557506082184162014047061886340388lX^ 

—10123533234834473316053289623165756437267298403X “h 2029073371791914965976041284208208450267120556 
S = 271828182845904523536028747135319858432320810108854154561922X^ H" 281807332337576949857498874314095888066250767326321142016575X 
+ 75319902277223541152654868480858951626493739297259139859875 

We set s' = — s. The lattice to be reduced is 

S2 

p 0 0 0 

_ 0 p 0 0 

^ “ sj) s'l 1 0 

_ 1p0 1pi 1p2 1_ 

then LLL(L) computes four short vectors r of degree 3, of coefficient size 0(p^/^), 
and of norm size Normj^j,/Q(r) = 0{p^) = = 0((3‘^^"^/”). 

1597749306375059000939093070182;^ + 1658196318321050944499877748142;^ + 1778281993224195536012663549042; — 159912786936943488400590389195 
1365830293545209052324129410482;^ — 5212698472255311884333529274532;^ + 3227224155628536715868684927212; + 255238068915917937217884608875 
1182890075989340687266630002662;^ + 4990134899728940598585439763632;^ — 1050842208618441557970157136662; + 535978811382585906107397024241 

3 2 

411603890054539500131474313773X — 240161030577722451131067159670X — 373289346204280810310169575030X — 389720783049275894296185820094 

The norm of the first element is 

Norm^^yQ(r) = 997840136509677868374734441582077227769466501519927620849763845265357390584602475858356409809239812991892769866071779 

of 117 decimal digits (with |180 = 120 dd). For a close to optimal running-time 
of Lq[ 1/3, 1.26] ~ 2'*® to Hnd a boot, the special-g bound would be around 77 
bits. 

Example for n = 4, JLSV$_1$ Method.

    p = 314159265358979323846264338327950288419980011
    ℓ = 49348022005446793094172454999380755676651143247932834802731698819521755649884772819780061
    f = ψ = X^4 + X^3 + 70898154036220641093162 X^2 + X + 1
    g = 101916096427067171567872 X^4 + 101916096427067171567872 X^3 + 220806328874049898551011 X^2
        + 101916096427067171567872 X + 101916096427067171567872
    s = 271828182845904523536028747135319858432320810 X^3 + 108854154561922281807332337576949857498874314 X^2
        + 95888066250767326321142016575753199022772235 X + 41152654868480844097394920847127588391952018

We set $s' = \frac{1}{s_3} s$. The subfield simplification for $s$ gives

    r = X^2 + 134969122397263102979743226915282355400161911 X + 104642440649937756368545765334741049207121011 .

We reduce the lattice defined by

$$L = \begin{pmatrix} p & 0 & 0 & 0 \\ 0 & p & 0 & 0 \\ r_0 & r_1 & 1 & 0 \\ s'_0 & s'_1 & s'_2 & 1 \end{pmatrix} ;$$

then LLL($L$) produces these four short vectors of degree 3, coefficient size $O(p^{1/2})$,
and norm $\mathrm{Norm}_{K_f/\mathbb{Q}}(r') = O(p^{7/2}) = O(Q^{7/8})$ (smaller than $O(Q)$).

    5842961997149263751946 X^3 + 290736827330861011376 X^2 − 5618779793817086743792 X + 1092494800287557029045
    1640842643903161175359 X^3 + 15552590269131889589575 X^2 − 4425488394163838271378 X − 5734086421794811858814
    6450686906504525374853 X^3 + 13768771242650957399419 X^2 + 10617583944234090880579 X + 16261617079167797580912
    16929135804139878865391 X^3 + 698185571704810258344 X^2 + 12799300411012246114079 X − 22787282698718065284157

The norm of the first element is

    Norm_{K_f/Q}(r') = 14521439292172711151668611104133579982787299949310242601944218977645007049527012365602178307413694530274906757675751698466464799004360546745210214642178285

of 155 decimal digits (with $\frac{7}{8} \cdot 180 = 157.5$). For a close to optimal running-time of
$L_Q[1/3, 1.34] \approx 2^{47}$ to find a boot, the special-$q$ bound would be approximately
of 92 bits. This is very large however.

6.2 Experiments: finding boots for F_{p^4} of 120 dd

We experimented our booting step method for $\mathbb{F}_{p^4}$ of 120 dd (400 bits). Without
the quadratic subfield simplification, the randomized target norm is bounded by
$Q^{9/8}$ of 135 dd (450 bits). The largest special-$q$ in the boot has size $L_Q[2/3, 3/4]$
(25 dd, 82 bits) according to Lemma 1 with $e = 9/8$. The running-time to find
one boot would be $L_Q[1/3, 1.5] \approx 2^{44}$.

We apply the quadratic subfield simplification. The norm of the randomized
target is of 105 dd ($\approx 350$ bits). We apply Theorem 1 with $e = 7/8$. The size
of the largest special-$q$ in the boot will be approximately $L_Q[2/3, 0.634]$ which is
21 dd (69 bits). The running-time needed to find one boot with the special-$q$ of
no more than 21 dd is $L_Q[1/3, 1.38] \approx 2^{40}$ (to be compared with the dominating
part of NFS-DL of $L_Q[1/3, 1.923] \approx 2^{57}$). We wrote a Magma program to find
boots, using GMP-ECM for $q$-smooth tests. We first set a special-$q$ bound of 70
bits and obtained boots in about two CPU hours. We then reduced the special-$q$
bound to a machine word size (64 bits) and also found boots in around two CPU
hours. We used an Intel Xeon E5-2609 0 at 2.40GHz with 8 cores.
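The optimisation of $\gamma$ in the proof of Lemma 1, the constants of Table 3 and the special-$q$ sizes of this section, recomputed in an added example that is not the paper's code; the $o(1)$ term of $L_Q$ is dropped, which is an assumption whenever the computed bit sizes are compared with the figures above.

```python
# Added example, not the paper's code: the L-notation of Sec. 3, the optimisation of
# gamma in the proof of Lemma 1, and the constants quoted in Table 3 and in Sec. 6.2.
# The o(1) term of L_Q is dropped, which is an assumption when bit sizes are compared.
from math import log

def lq_log2(alpha, c, dd):
    """log2 of L_Q[alpha, c] for Q of dd decimal digits."""
    lq = dd * log(10)                                        # log Q
    return c * lq ** alpha * log(lq) ** (1 - alpha) / log(2)

def boot_cost(gamma, e):
    """Constant c of the booting cost L_Q[1/3, c] for a special-q bound L_Q[2/3, gamma]
    and a target norm Q^e, before gamma is optimised (proof of Lemma 1)."""
    return (4 * gamma / 3) ** 0.5 + e / (3 * gamma)

def optimise_gamma(e, lo=1e-3, hi=10.0):
    """Ternary search on the unimodal boot_cost: returns (gamma_opt, c_opt)."""
    for _ in range(200):
        m1, m2 = lo + (hi - lo) / 3, hi - (hi - lo) / 3
        if boot_cost(m1, e) < boot_cost(m2, e):
            hi = m2
        else:
            lo = m1
    return lo, boot_cost(lo, e)

def lemma1(e):
    """Closed form of Lemma 1: booting constant (3e)^(1/3), special-q constant (e^2/3)^(1/3)."""
    return (3 * e) ** (1 / 3), (e * e / 3) ** (1 / 3)

def norm_exponent(method, n):
    """Exponent e with Norm(r) = O(Q^e) after the reductions summarised in Table 3
    (the even-n row is used when n is even and n >= 4)."""
    even = n % 2 == 0 and n >= 4
    if method in ("gJL", "Conj"):
        return 1 - 2 / n if even else 1 - 1 / n
    if method == "JLSV1":
        return 1.5 - 5 / (2 * n) if even else 1.5 - 3 / (2 * n)
    raise ValueError(method)

def table3_c(method, n):
    """Practical value of c in Table 3 (two decimals)."""
    return round(lemma1(norm_exponent(method, n))[0], 2)

def experiment(dd, e):
    """Sec. 6.2 figures for a field of dd digits and a target norm Q^e:
    (booting constant, special-q constant, special-q bits, log2 of the booting cost)."""
    c, gamma = lemma1(e)
    return round(c, 2), round(gamma, 3), round(lq_log2(2 / 3, gamma, dd)), lq_log2(1 / 3, c, dd)

if __name__ == "__main__":
    for n in range(2, 7):
        print(n, [table3_c(m, n) for m in ("gJL", "Conj", "JLSV1")])
    print(optimise_gamma(9 / 8), lemma1(9 / 8))               # both close to (0.75, 1.5)
    print(experiment(120, 9 / 8), experiment(120, 7 / 8))     # (1.5, 0.75, 82, ~44.6), (1.38, 0.634, 69, ~41.0)
```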
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7 Conclusion 


We have presented a method to improve the booting step of individual logarithm
computation, the final phase of the NFS algorithm. Our method is very efficient
for small $n$, combined with the gJL or Conjugation methods; it is also useful for
the JLSV$_1$ method, but with a slower running-time. For the moment, the booting
step remains the dominating part of the final individual discrete logarithm. If our
method is improved, then special-$q$ descent might become the new bottleneck
in some cases. A lot of work remains to be done on final individual logarithm
computations in order to be able to compute one individual logarithm as fast as
was done in the Logjam [2] attack, especially for $n \geq 3$.
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